Posted
by
michaelon Friday May 17, 2002 @08:05AM
from the run-over-by-the-canyonero dept.

corebreech writes "The mighty New York Times (I think they might want you to register) is reporting that hackers posing as Ford employees have managed to pilfer some 13,000 credit reports (Quality is Job 1.) Supposedly the info isn't restricted to merely credit card numbers, but rather includes such delectable delights as address, SSN, bank account info and creditworthiness. Glad I take the subway." The original story was from the Boston Globe.

From the original Boston Globe story (couldn't be bothered to register at NYT):

Van Leeuwen of Ford said he thought the company had done everything it could to help the individuals affected by the security breach, and didn't plan to offer them any financial assistance.

Surely Ford have broken some law here ? In the U.K. there is something called the Data Protection Act, c'mon the U.S. has got to have some equivalent legislation.. They're not blaming it on hackers, they admit they don't know how the access code or whatever was taken !

The group that handles most of the credit processing for Ford Motor Company is The Associates [theassociates.com]. At least it was a few years ago. They were recently purchased by Citigroup. They also do home loans etc, and incidentally, are having some controversy regarding discrimination in loan practices (redlining). At any rate, security there was never what it should have been. There were quite a few systems around the various building where anyone could just walk up and access that kind of information. You could cross-reference by address also, or last name. What was worse, you didn't need a password, because it was embedded in the software. Some of my co-workers would occasionally run reports for their family and friends. All in all, I can't say I'm too surprised by this.

Hackers posing as employees of the Ford Motor Credit Company have in recent months harvested a trove of 13,000 credit reports -- a virtual one-stop shop for fraud and identity theft -- with data on consumers in affluent neighborhoods across the country.

The company said in a letter to the victims that computer intruders used an authorization code from Ford Credit to get the credit reports from Experian, one of three major reporting agencies.

Advertisement

"I've never seen anything of this size," a spokesman for Experian, Donald Girard, said. "Privacy is the hallmark of our business. We're extraordinarily concerned about the privacy issue here, and the trust factor."

The inquiries gave the intruders access to each victim's personal and financial information, including address, Social Security number, bank and credit card accounts and ratings of creditworthiness, which can be used to identify the best targets.

"This is not just a credit card number; this is the whole kazoo," said Richard Power, the editorial director for the Computer Security Institute, an industry trade group. A criminal could use the data to make credit card charges or even open bank and credit card accounts in the victim's name.

Thefts of credit records, Mr. Power said, are far more common than is reported. "The unique thing about this one," he said, "is that it has surfaced." The theft was first reported yesterday by The Boston Globe and The Detroit News.

Statistics on identity theft are hard to come by, with estimates ranging as high as 700,000 cases a year. Betsy Broder, the assistant director for planning and information of the Federal Trade Commission, said the commission received 86,000 complaints of identity theft last year.

Representatives of Ford Credit said they did not know how the hackers acquired the code, which was used by the company's office in Grand Rapids, Mich. The intruders focused on addresses in affluent neighborhoods, often in numeric sequence, said Rich Van Leeuwen, executive vice president at Ford Credit.

The company said it had sent letters via certified mail to all 13,000 people, urging them to contact Experian and the two other credit reporting giants, Equifax and TransUnion, and to report any evidence of abuse to the F.B.I.

The company has also worked with Experian to set up a phone line to let victims get their credit reports and help them resolve discrepancies.

Neither Ford Credit nor Experian has determined how many people have reported fraudulent charges or other problems. Mr. Girard said that Experian had received 2,700 calls since the letters started going out this month. Although the unauthorized inquiries began in April 2001, Ford first heard about the problem in February, Mr. Van Leeuwen said. Only 400 of the 13,000 victims were customers of Ford Credit, he said.

Dawn M. Clenney, a special agent at the F.B.I. office in Detroit, said that she could not comment, except to say, "We're on the case."

Mr. Girard, the Experian spokesman, said the company would work with the F.B.I. to catch and prosecute the intruders. "It just shows that today, even big companies can be victimized," he said. "it's a never-ending struggle against the bad guys."

Actually some states have laws requiring the credit report companies to give out a certain number of free reports a year. In Georgia (where I live) I get up to two free reports a year. Also, if you've been denied credit or employment based on information from your credit report, you are entitled to a free copy of the report from the reporting company the card provider/employer used.

As to your second point, I agree completely. At one point, Equifax was trying to gain control of medical records for people to link with the existing stuff. I'm not a fan of big government but Equifax,Transunion and Experian need to have STRICT government regulation because of the impact the information they carry can have on an individuals life. Forget that stupid cracker shit in "The Net". All it takes is a fucked up keystroke and you can't even rent an apartment.

The biggest piece of legislation I would love to see is this: Private companies are forbidden to use SSN's as customer identifiers. How fucking hard is it for a company to generate a random account number?

When these people got Ford's 'access codes' they essentially got their ID within the credit bureau. The credit bureaus trusted that Ford was 'honest' with their credit requests -- not asking for any sort of proof that the people for whom the credit reports were being requested had given their assent to have that data released.

As a result. these script kiddies^w^w^w Ford was able to get identity theft kits on a truckload of (mostly) rich people just based on their home addresses.

If anything is going to put a big "oomph" behind online privacy initiatives in the states, I think that this may be it.

I was the victim of ID theft. You do not want this to happen to you. Ever. It involves filing police reports, calling every company that showed up on your credit reports and providing all kinds of info to their fraud departments. It took me over a year and a half of phone calls, faxes and emails to straighten everything out. I'm still getting calls from creditors about unpaid credit cards and such that clearly aren't mine.

I think it's obvious that if the only thing between theives and your identity is your mom's maiden name, your address, and your SS number, that it's been made pretty freakin' easy for them.(Granted it's not quite that simple, but it's damn close)

One thing that struck me throughout the entire process of cleaning up my credit reports was that I was doing the cleaning up. Here are 3 companies that basically control whether you can ever buy a house, and when they screw up and allow someone to assume your identity using their services, it's the victim that's left picking up the pieces.

Call this telephone number. This number is maintained by the three credit reporting agencies and it allows you to "opt-out" of certain marketing games; basically, this means the three credit reporting agencies will no longer be allowed to give your credit report to marketers, but only to people with whom you actually have business.

Ford is a legitimate business; if you don't "opt-out," they can get a credit report on you. I opted out and I've never done business with Ford, so this story doesn't affect me.

Another nice thing about using this number to "opt-out": I no longer receive any junk mail. No more pre-approved credit cards, no more free offers, no more anything. I now look forward to checking my mail every day, as it only contains only bills and personal correspondence. I also say "put me on your do-not-call list" to telemarketers and I don't watch TV, so live in an almost completely ad-free world. It's a very nice world and I invite you in.